From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/mysql-extras:master commit in: /
Date: Sat, 21 Apr 2012 20:34:24 +0000 (UTC)
Message-ID: <1335038606.7aa54c7d20620cbceeed24a65723d7d1c5a60bc4.robbat2@gentoo>
commit: 7aa54c7d20620cbceeed24a65723d7d1c5a60bc4
Author: Robin H. Johnson <robbat2 <AT> orbis-terrarum <DOT> net>
AuthorDate: Sat Apr 21 19:54:41 2012 +0000
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Sat Apr 21 20:03:26 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/mysql-extras.git;a=commit;h=7aa54c7d
Fix auth bypass discovered by MontyProgram, already fixed in last week's MariaDB releases.
---
00000_index.txt | 10 ++++++++++
07342_all_mysql_auth_bypass-5.1.62.patch | 29 +++++++++++++++++++++++++++++
07342_all_mysql_auth_bypass-5.5.22.patch | 17 +++++++++++++++++
3 files changed, 56 insertions(+), 0 deletions(-)
diff --git a/00000_index.txt b/00000_index.txt
index d5cd020..bafb35f 100644
--- a/00000_index.txt
+++ b/00000_index.txt
@@ -767,6 +767,16 @@
@pn mariadb
@@ Gentoo Bug #344031: Fix new TEXTRELs
+@patch 07342_all_mysql_auth_bypass-5.1.62.patch
+@ver 5.01.62.00 to 5.01.62.99
+@pn mysql
+@@ Upstream bug #64884: auth bypass
+
+@patch 07342_all_mysql_auth_bypass-5.5.22.patch
+@ver 5.05.22.00 to 5.05.22.99
+@pn mysql
+@@ Upstream bug #64884: auth bypass
+
@patch 10010_all_show_patches-percona-5.0.75-b12.patch
@ver 5.00.75.00 to 5.00.76.99
@pn mysql-community
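Review bot: Both new @ver ranges in this index hunk pin the fix to a single release each (5.01.62.00 to 5.01.62.99 and 5.05.22.00 to 5.05.22.99) and to @pn mysql only, so any other 5.1.x or 5.5.x version, or any other package name built from the same source, would be built without the patch. If that is intentional because only these two versions still need it, say so in the commit message; otherwise widen the ranges or add entries for the other package names. The description "Upstream bug #64884: auth bypass" could also name check_scramble, which the patch header identifies as the affected function, so the entry is easier to find later.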
diff --git a/07342_all_mysql_auth_bypass-5.1.62.patch b/07342_all_mysql_auth_bypass-5.1.62.patch
new file mode 100644
index 0000000..63cecf1
--- /dev/null
+++ b/07342_all_mysql_auth_bypass-5.1.62.patch
@@ -0,0 +1,29 @@
+Security bug http://bugs.mysql.com/bug.php?id=64884
+Already fixed in MariaDB 5.1.62+/5.5.23+
+
+Depends on the result of check_scramble being cast to char directly.
+
+diff -Nuar mysql.orig/libmysql/password.c mysql/libmysql/password.c
+--- mysql.orig/libmysql/password.c 2012-04-21 10:58:15.485424022 -0700
++++ mysql/libmysql/password.c 2012-04-21 10:57:34.077773190 -0700
+@@ -531,7 +531,7 @@
+ mysql_sha1_reset(&sha1_context);
+ mysql_sha1_input(&sha1_context, buf, SHA1_HASH_SIZE);
+ mysql_sha1_result(&sha1_context, hash_stage2_reassured);
+- return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
++ return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
+ }
+
+
+diff -Nuar mysql.orig/sql/password.c mysql/sql/password.c
+--- mysql.orig/sql/password.c 2012-04-21 10:58:18.941478337 -0700
++++ mysql/sql/password.c 2012-04-21 10:57:50.318028470 -0700
+@@ -531,7 +531,7 @@
+ mysql_sha1_reset(&sha1_context);
+ mysql_sha1_input(&sha1_context, buf, SHA1_HASH_SIZE);
+ mysql_sha1_result(&sha1_context, hash_stage2_reassured);
+- return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
++ return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
+ }
+
+
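Review bot: The patch header's one-line rationale ("Depends on the result of check_scramble being cast to char directly") does not explain why the return test(memcmp(...)) change in libmysql/password.c and sql/password.c closes the bypass. memcmp() only guarantees the sign of its int result, so a nonzero value whose low byte is zero turns into 0, which reads as a match, once it is narrowed to char; wrapping the call in test() is meant to collapse the result to a plain zero/nonzero flag before that narrowing happens. Please spell that out in the header and state the assumption that test() yields only 0 or 1, since the definition of test() is not visible in this patch and anyone forward-porting it to another version will need to check it.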
diff --git a/07342_all_mysql_auth_bypass-5.5.22.patch b/07342_all_mysql_auth_bypass-5.5.22.patch
new file mode 100644
index 0000000..84e306a
--- /dev/null
+++ b/07342_all_mysql_auth_bypass-5.5.22.patch
@@ -0,0 +1,17 @@
+Security bug http://bugs.mysql.com/bug.php?id=64884
+Already fixed in MariaDB 5.1.62+/5.5.23+
+
+Depends on the result of check_scramble being cast to char directly.
+
+diff -Nuar mysql.orig/sql/password.c mysql/sql/password.c
+--- mysql.orig/sql/password.c 2012-03-02 11:44:47.000000000 -0800
++++ mysql/sql/password.c 2012-04-21 10:59:39.502744613 -0700
+@@ -531,7 +531,7 @@
+ mysql_sha1_reset(&sha1_context);
+ mysql_sha1_input(&sha1_context, buf, SHA1_HASH_SIZE);
+ mysql_sha1_result(&sha1_context, hash_stage2_reassured);
+- return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
++ return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
+ }
+
+
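Review bot: There is no libmysql/password.c hunk in this 5.5.22 patch, although the 5.1.62 patch applies the identical return test(memcmp(...)) change to both libmysql/password.c and sql/password.c. Please confirm that the 5.5.22 tree has no second copy of this comparison, or add the matching hunk, and note the reason for the difference in the patch header so the two files are not assumed to be equivalent.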